
Summary
This detection rule targets brand impersonation attempts that reference Okta, a prominent identity and access management provider. The rule runs several checks to decide whether an inbound message is impersonating Okta. It looks for 'Okta' in the sender's display name, in the sender's email domain, and in the subject line. It also requires that the message carries no References header (so it is not a reply within an existing thread) and that it is not sent from a trusted Okta domain such as 'okta.com' or 'oktacdn.com' with a passing DMARC result. Machine learning is applied to a screenshot of the message to detect an Okta logo, reported with a confidence score. The sender's profile is also evaluated for new or outlier prevalence, and for prior malicious activity with no recorded false positives. Messages from trusted relay domains are excluded unless DMARC authentication fails. Given the tactics involved, brand impersonation and social engineering, the rule provides a robust detection mechanism against credential phishing.
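The following is an added Python model of the checks described above, not the rule's own query language or code. It assumes the logo-detector result is treated as one more brand indicator alongside the text matches, stands in a constructed placeholder for the trusted relay domain list, and represents the sender-profile and DMARC signals as pre-computed fields on the message.

```python
import re
from dataclasses import dataclass, field

# Legitimate Okta sending domains named in the rule summary.
TRUSTED_OKTA_DOMAINS = {"okta.com", "oktacdn.com"}
# Constructed placeholder for the rule's trusted relay domain list (assumption).
TRUSTED_RELAY_DOMAINS = {"relay.example"}
OKTA = re.compile(r"okta", re.IGNORECASE)

@dataclass
class Message:
    display_name: str
    sender_email: str
    subject: str
    references: list = field(default_factory=list)  # values of the References header
    dmarc_pass: bool = False
    okta_logo_confidence: str = ""      # stand-in for the ML logo detector output
    sender_prevalence: str = "common"   # "new", "outlier" or "common"
    sender_any_malicious: bool = False
    sender_any_false_positives: bool = False

def root_domain(addr: str) -> str:
    # Keep the last two labels so "mail.okta.com" is treated as "okta.com"
    return ".".join(addr.rsplit("@", 1)[-1].lower().split(".")[-2:])

def references_okta(m: Message) -> bool:
    # Brand reference in sender name, sender domain, subject, or a detected logo
    text_hit = any(OKTA.search(s) for s in (m.display_name, root_domain(m.sender_email), m.subject))
    logo_hit = m.okta_logo_confidence in ("medium", "high")  # assumption: logo is an alternative signal
    return text_hit or logo_hit

def sender_is_suspicious(m: Message) -> bool:
    return m.sender_prevalence in ("new", "outlier") or (
        m.sender_any_malicious and not m.sender_any_false_positives)

def authenticated_from(m: Message, domains: set) -> bool:
    # An exclusion applies only when the sending domain also passes DMARC
    return root_domain(m.sender_email) in domains and m.dmarc_pass

def is_okta_impersonation(m: Message) -> bool:
    return (references_okta(m)
            and not m.references                              # not part of an existing thread
            and not authenticated_from(m, TRUSTED_OKTA_DOMAINS)
            and not authenticated_from(m, TRUSTED_RELAY_DOMAINS)
            and sender_is_suspicious(m))

# Constructed sample messages: lookalike domain, genuine Okta mail, and an unauthenticated spoof
PHISH = Message("Okta Security", "alerts@okta-verify.example", "Action required: verify your Okta session",
                okta_logo_confidence="high", sender_prevalence="new")
LEGIT = Message("Okta", "noreply@mail.okta.com", "Your Okta password was changed", dmarc_pass=True)
SPOOF = Message("Okta", "noreply@okta.com", "Okta MFA reset", dmarc_pass=False, sender_prevalence="outlier")
```

Note that the genuine message is suppressed only because it both comes from okta.com and passes DMARC; the same domain with a DMARC failure is still flagged.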
Categories
- Identity Management
- Cloud
- Web
Data Sources
- User Account
- Network Traffic
- Application Log
- File
- Process
Created: 2023-11-30